GDPR comes into effect on 25 May 2018. However, that does not mean that businesses can put off compliance until then.
The Data Protection Act 1998, ePrivacy and PECR all remain in force and are applicable to UK businesses. Whilst GDPR has generated many column inches and caused businesses to focus on data protection compliance, it does not mean that businesses are permitted to be non-compliant prior to May 2018.
Any new business should consider whether it needs to carry out a data protection impact assessment (DPIA). A DPIA is required where a business is using new technologies and the processing is likely to result in a high risk to the rights and freedoms of individuals. It is good practice for all new businesses and those introducing new services (particularly where a DPIA may not have previously been completed) to carry out a DPIA.
A business should ensure that it is registered with the Information Commissioner's Office and that it has disclosed the types of data it handles and what it does with that data.
Businesses will generally need a raft of additional policies and procedures to be put in place to ensure that they can demonstrate compliance with the regime.
Businesses currently have to be able to demonstrate compliance with the data protection regime and are expected to take steps to ensure that they remain compliant with the regime. GDPR imposes an explicit obligation of accountability. Businesses should undertake a quarterly review of their compliance with a DPO or external adviser and document that review.
Buckworths Compliance offers an affordably priced monthly retainer which covers quarterly reviews and any urgent needs for advice on compliance that may arise from time to time.